3.6.7 What are some other block ciphers?

Many of the block ciphers proposed in recent years, including those listed
below, were developed (at least in part) either as successors to DES or
as candidates for the Advanced Encryption Standard, AES. See Sections 3.2
and 3.3 for more information on DES and AES, respectively.
For descriptions of the five finalists to the AES (MARS, Rijndael, RC6,
Serpent, and Twofish), see Question 3.3.2.

IDEA (International Data Encryption Algorithm) [LMM92]
is the second version of a block cipher designed and presented by Lai
and Massey [LM91]. It is a 64-bit
iterative block cipher with a 128-bit key. The encryption process requires
eight complex rounds. While the cipher does not have a Feistel structure
(see Question 2.1.4), decryption is carried
out in the same manner as encryption once the decryption subkeys have
been calculated from the encryption subkeys. The cipher structure was
designed to be easily implemented in both software and hardware, and the
security of IDEA relies on the use of three incompatible types of arithmetic
operations on 16-bit words. However some of the arithmetic operations
used in IDEA are not that fast in software. As a result the speed of IDEA
in software is similar to that of DES.

One of the principles used during the design of IDEA was to facilitate
analysis of its strength against differential cryptanalysis (see Question 2.4.5)
and IDEA is considered to be immune to differential cryptanalysis. Furthermore
there are no linear cryptanalytic attacks on IDEA and there are no known
algebraic weaknesses in IDEA. The most significant cryptanalytic result
is due to Daemen [DGV94], who discovered
a large class of 251 weak keys (see Question 2.4.5)
for which the use of such a key during encryption could be detected easily
and the key recovered. However, since there are 2128 possible
keys, this result has no impact on the practical security of the cipher
for encryption provided the encryption keys are chosen at random. IDEA
is generally considered to be a very secure cipher and both the cipher
development and its theoretical basis have been openly and widely discussed.

SAFER (Secure And Fast Encryption Routine) is a non-proprietary block
cipher developed by Massey in 1993 for Cylink Corporation [Mas93].
It is a byte-oriented algorithm with a 64-bit block size and, in one version,
a 64-bit key size. It has a variable number of rounds, but a minimum of
six rounds is recommended. Unlike most recent block ciphers, SAFER has
slightly different encryption and decryption procedures. Only byte-based
operations are employed to ensure its utility in smart card-based applications
that have limited processing power. When first announced, SAFER was intended
to be implemented with a key of length 64 bits and it was accordingly
named SAFER K-64. Another version of SAFER was designed that could handle
128-bit keys and was named SAFER K-128. A variant - SAFER+ - was submitted
to the AES, but the algorithm did not qualify for the second round, due
to its lack of speed.

Early cryptanalysis of SAFER K-64 [Mas93]
showed that SAFER K-64 could be considered immune to both differential
and linear cryptanalysis (see Question 2.4.5)
when the number of rounds is greater than six. However, Knudsen [Knu95]
discovered a weakness in the key schedule of SAFER K-64 and a new key
schedule for the family of SAFER ciphers soon followed. These new versions
of SAFER are denoted SAFER SK-64 and SAFER SK-128 where SK denotes a strengthened
key schedule (though one joke has it that SK really stands for ``Stop
Knudsen'', a wise precaution in the design of any block cipher). Most
recently, a version of SAFER called SAFER SK-40 was announced, which uses
a 40-bit key and has five rounds (thereby increasing the speed of encryption).
This reduced-round version is secure against differential and linear cryptanalysis
in the sense that any such attack would require more effort than a brute-force
search for a 40-bit key.

The Fast Data Encipherment Algorithm (FEAL) was presented by Shimizu
and Miyaguchi [SM88] as an alternative
to DES. The original cipher (called FEAL-4) was a four-round cryptosystem
with a 64-bit block size and a 64-bit key size and it was designed to
give high performance in software. Soon a variety of attacks against FEAL-4
were announced including one attack that required only 20 chosen plaintexts
[Mur90]. Several results in the cryptanalysis
of FEAL-8 (eight-round version) led the designers to introduce a revised
version, FEAL-N, where N denoted the number of rounds. Biham and Shamir
[BS91b] developed differential cryptanalytic
attacks against FEAL-N for up to 31 rounds. In 1994, Ohta and Aoki presented
a linear cryptanalytic attack against FEAL-8 that required 225
known plaintexts [OA94], and other
improvements [KR95a] followed. In
the wake of these numerous attacks, FEAL and its derivatives should be
considered insecure.

Skipjack is the encryption algorithm contained in the Clipper chip (see
Question 6.2.4), designed by the NSA (see
Question 6.2.2). It uses an 80-bit key to
encrypt 64-bit blocks of data. Skipjack is expected to be more secure
than DES in the absence of any analytic attack since it uses 80-bit keys.
By contrast, DES uses 56-bit keys.

Initially, the details of Skipjack were classified and the decision
not to make the details of the algorithm publicly available was widely
criticized. Some people were suspicious that Skipjack might not be secure,
either due to an oversight by its designers, or by the deliberate introduction
of a secret trapdoor. Since Skipjack was not public, it could not be widely
scrutinized and there was little public confidence in the cipher.

Aware of such criticism, the government invited a small group of independent
cryptographers to examine the Skipjack algorithm. They issued a report
[BDK93] that stated that although
their study was too limited to reach a definitive conclusion, they nevertheless
believed Skipjack was secure.

In June 1998 Skipjack was declassified by the NSA. Early cryptanalysis
has failed to find any substantial weakness in the cipher.

Blowfish is a 64-bit block cipher developed by Bruce Schneier [Sch93].
It is a Feistel cipher (see Question 2.1.4)
and each round consists of a key-dependent permutation and a key-and-data-dependent
substitution. All operations are based on XORs and additions on 32-bit
words. The key has a variable length (with a maximum length of 448 bits)
and is used to generate several subkey arrays. This cipher was designed
specifically for 32-bit machines and is significantly faster than DES.
There was an open competition for the cryptanalysis of Blowfish supported
by Dr. Dobb's Journal with a $1000 prize. This contest ended in April
1995 [Sch95]; among the results were
the discoveries of existence of certain weak keys (see Question 2.4.5),
an attack against a three-round version of Blowfish, and a differential
attack against certain variants of Blowfish. However, Blowfish can still
be considered secure, and Schneier has invited cryptanalysts to continue
investigating his cipher. The AES candidate Twofish is based on Blowfish.

CAST-128 is another popular 64-bit Feistel cipher allowing key sizes
up to 128 bits. The name CAST stands for Carlisle Adams and Stafford Tavares,
the original inventors of CAST. CAST-128 consists of 16 non-identical
rounds, where each round is built up by simple operations such as integer
and bitwise addition and rotation. CAST-128 is owned by Entrust Technologies
but is free for commercial as well as non-commercial use. The algorithm
has been widely adopted by the internet community and is part of products
from Pretty Good Privacy, IBM, and Microsoft. CAST-256 is a freely available
extension of CAST-128 accepting up to 256 bits of key size and with a
128-bit block size. CAST-256 was one of the original candidates for the
AES. Though no security weaknesses were found, the algorithm did not qualify
for the second round. CAST-256 and the finalist Serpent share the property
of strongly favoring security over speed, and since it is considered as
unlikely that two ``slow'' algorithms would be selected for the AES, only
one of them qualified for the second round. We emphasize that CAST-256
can be considered as secure.